
John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

An interesting discussion happened in the comments about HIPAA secure fax services regarding the security of email. Being a tech person who formerly managed a few different corporate email systems, I sometimes forget that many people don’t understand the details of the security (or lack of it) that email provides.

The short story is: Email is NOT HIPAA Secure (at least in 99% of cases)

There is a way to encrypt email sent between two email systems, but so far no standard and mechanism for encryption between the vast number of email providers has been established. I won’t go into the details of why this is the case (cost of encryption, standards for encryption, etc.), but suffice it to say that almost none of the email systems send encrypted email that would satisfy the HIPAA requirements.

In fact, most times when an EMR, PHR or other patient portal wants to send a secure email/message to someone, it sends an email that contains a link to an encrypted website with a unique login. They do this because there’s no recognized and adopted standard for encryption of email. However, presenting Protected Health Information (PHI) through an encrypted webpage where someone has a unique login is HIPAA compliant and doesn’t require the receiving email system to understand the encryption. It’s a pain, but it’s the reality of privacy of health information right now.
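The link-not-content pattern described above, worked through as an added example (not code from this post or from any product mentioned in the thread): the outbound email carries only a signed, expiring link, a guardrail refuses to send if PHI shows up in the mail body, and the portal releases the message only to the authenticated recipient. The portal URL, the server-side secret, the message store and the sample message are all hypothetical/constructed.

```python
"""Secure-message notification pattern: the e-mail carries only a link; the PHI
stays behind an authenticated HTTPS portal page that checks the link's
signature, its expiry and who is logged in. Portal and secret are hypothetical."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional, Tuple

PORTAL_URL = "https://portal.example/msg"   # hypothetical portal address
PORTAL_SECRET = secrets.token_bytes(32)     # server-side key; never mailed
# Constructed sample: the PHI the clinic wants the patient to read.
SAMPLE_MESSAGE = {
    "patient_id": "MRN-000123",
    "body": "Your lab results are ready. A1c 6.1%; please schedule a follow-up.",
}
# Constructed patterns the outbound-mail guardrail refuses to send.
PHI_PATTERNS = [r"MRN-\d+", r"\bA1c\b", r"\blab results\b"]
_STORE = {}  # message_id -> {"message", "recipient", "expires"}; PHI lives here only


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(message_id: str, expires: int) -> bytes:
    return hmac.new(PORTAL_SECRET, f"{message_id}.{expires}".encode(), hashlib.sha256).digest()


def mint_link(message: dict, recipient: str, ttl_seconds: int = 7 * 24 * 3600) -> Tuple[str, str]:
    """Store the PHI server-side and return (message_id, link). The link carries a
    random id, an expiry and an HMAC over both, so a guessed or altered link is
    rejected before any lookup; nothing in it identifies the patient."""
    message_id = secrets.token_urlsafe(16)
    expires = int(time.time()) + ttl_seconds
    _STORE[message_id] = {"message": message, "recipient": recipient, "expires": expires}
    token = f"{message_id}.{expires}.{_b64(_tag(message_id, expires))}"
    return message_id, f"{PORTAL_URL}?t={token}"


def notification_email(recipient: str, text: str) -> str:
    """The only thing that travels over ordinary (postcard) e-mail."""
    return (f"To: {recipient}\r\nSubject: You have a new message from your care team\r\n\r\n"
            f"{text}\r\n")


def leaks_phi(email_text: str, message: dict) -> bool:
    """Outbound guardrail: True if any PHI value or pattern appears in the e-mail."""
    if any(value and value in email_text for value in message.values()):
        return True
    return any(re.search(p, email_text, re.I) for p in PHI_PATTERNS)


def open_link(token: str, authenticated_user: str, now: Optional[int] = None) -> Optional[dict]:
    """Portal side: verify the HMAC, the expiry, and that the logged-in user is the
    intended recipient before releasing the message. None means refused."""
    now = int(time.time()) if now is None else now
    try:
        message_id, expires_text, tag_text = token.split(".")
        expires, tag = int(expires_text), _unb64(tag_text)
    except ValueError:
        return None                                  # malformed link
    if not hmac.compare_digest(_tag(message_id, expires), tag):
        return None                                  # forged or altered link
    if now >= expires:
        _STORE.pop(message_id, None)                 # expired: self-destructs
        return None
    record = _STORE.get(message_id)
    if record is None or record["recipient"] != authenticated_user:
        return None                                  # unknown id or wrong login
    return record["message"]


def demo() -> dict:
    """End-to-end run on the constructed sample; returns each outcome by name."""
    recipient = "patient@example.net"
    message_id, link = mint_link(SAMPLE_MESSAGE, recipient)
    link_mail = notification_email(recipient, f"A secure message is waiting. Sign in to read it:\r\n{link}")
    naive_mail = notification_email(recipient, SAMPLE_MESSAGE["body"])  # PHI on a postcard
    token = link.split("?t=", 1)[1]
    _, expires_text, tag_text = token.split(".")
    extended = f"{message_id}.{int(expires_text) + 3600}.{tag_text}"  # attempt to extend expiry
    return {
        "link_mail_leaks_phi": leaks_phi(link_mail, SAMPLE_MESSAGE),
        "naive_mail_leaks_phi": leaks_phi(naive_mail, SAMPLE_MESSAGE),
        "served_to_patient": open_link(token, recipient),
        "served_to_other_login": open_link(token, "someone-else@example.net"),
        "served_with_tampered_token": open_link(extended, recipient),
        "served_after_expiry": open_link(token, recipient, now=int(time.time()) + 8 * 24 * 3600),
    }
```

Calling `demo()` shows the notification mail passing the guardrail while the naive mail is flagged, and the portal refusing the wrong login, a token with an extended expiry, and a link opened after it expired.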

One of the major reasons that many people think that email is secured is that a number of email providers (Gmail being the most famous for this) turned on encryption for all of their users. The misunderstanding is that this encryption only protects the user’s own session as they log in to check, read and send their email. It does not encrypt the email as it is sent from Gmail to the destination email system. Aleks from Sfax compared it to a postcard: it’s open, anyone listening along the way can see what’s in the email, and no traces are left behind.

The only protection ordinary email offers in this respect is the sheer volume of email that is sent: there is so much useless email that hiding among it gives some security-by-obscurity benefit. That kind of security doesn’t satisfy the HIPAA requirements, though. Plus, remember that one thing computers are great at is crunching large amounts of data.

One minor exception I might make is email sent within an internal email system, where it is possible to set up email encryption because you control the email system of both the sender and the receiver. However, I know very few people who have actually set this arrangement up, probably because anyone on your internal email system usually has access to your EMR, so all the PHI can remain in the EMR instead of your email system.

Now, many have said that you shouldn’t use free email providers like Gmail. After reading this it should be clear: you shouldn’t use ANY email provider for sending PHI. So whether you use Gmail or some other free email provider shouldn’t matter, since I’m sure you won’t be sending any PHI through email any more.

Of course, I’d recommend you use the free Google Apps version of Gmail since DrSmith@yourpractice.com is so much more professional than DrSmith985373@gmail.com. Although, that’s kind of a topic for a different discussion.

63 responses to "Email is Not HIPAA Secure"

Wow. This news is incredible, John. I know that one of the selling points of eHRs is the ability for patients to monitor their own records. Not being capable of sending them by email sort of kills that dream.

Patients can monitor their record using an EHR. They can also get email notifications that their EHR has been updated. However, it can only include links to a patient portal or PHR where they access the information securely. It can’t include health information in the email itself.

I know of many practices that are getting around this rule because the patient requested their own record(s) be sent to them via email…the PHI is just not emailed to anyone besides the patient (i.e., another practice or doctor) without the patient’s written authorization. This practice still doesn’t pass the smell test with me nor am I sure it’s right, cleartext is cleartext!

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

There are 3 different mechanisms at play here and sometimes it seems like they get scrambled. Encrypted email IS available, btw.

Email transport: when connected to your email provider using https or SSL, the transport of your email is encrypted. As mentioned in the blog, the email itself is not encrypted once it arrives at your email provider nor is it encrypted at its destination (aka “clear text”).

Email Encryption: offered by a number of companies (an example would be ZixMail), their process creates a fully encrypted email that can be read by patients without installing any software (they open the email on a secure website).

Secure Messaging: really easy to do if you have your own (secure) patient website…the patient just logs in, and they can send and receive “messages” to/from their provider…these are not really messages, just data packets that flow on the internal plumbing of the web application, arriving on the secured web browsers of the sender/receiver. Many flavors of this, but all require both parties to have access to a secure portal, which not everyone wants to deal with.

Bottom line for me: true HIPAA compliance does really require encrypted email or secure messaging, since the behaviors by patients and other providers cannot be guaranteed to be secure.

BTW, IM (Instant Messaging) is secure ONLY when hosted internally on your own servers and not sent to external users (like patients).

The other thing to balance when talking about the security of messaging using email is that just because it is legal doesn’t mean that it doesn’t still open you up to a lawsuit. I think that the idea that you “got consent” from a patient to be able to use email likely means that it’s ok to send patient data over regular email, but that doesn’t necessarily mean it won’t come back to bite you later.

As Mike points out, there are some secure options for sending email, but they aren’t native email. They always link to another source like a secure website (unless, as I describe above, you can set up the security on both sender and receiver). Of course, even to send it using a link to a secure website you have to have a method to ensure you’re getting the correct email (similar to what you might do with a phone number you call or address where you’d send info).

Biggest problem with all of this is that it’s new territory that likely hasn’t been tested in the courts. So, some of it still needs some good legal precedent.

D. Kellus Pruitt DDS,
I’d be interested in seeing a small scale non-enterprise email encryption solution as well. I’m guessing it wouldn’t be inconvenient since it would just have your email pass through their server or would have a plugin on your server to do the encryption. Although, I’m guessing it would be one more device for you to manage. Unless there’s a hosted solution (which has its own HIPAA issues).

I googled “EMR, encryption,” and nobody is purchasing Google ads to help sell the product to providers, if that means anything. In addition, almost all of the hits on the first page involve only the usual comments promoting the adoption of encryption to satisfy HIPAA/HITECH requirements – with possibly only one or two encryption vendors with ads in the bottom half of the page. The 9th hit is for MediVault, which offers “Secure Online Backup Encryption” ranging in price from $30 to $50 a month. http://www.medivault.ca/security/encryption

It looks to me like a lot of stakeholders are pinning all their security hopes on a product that is not yet available.

Matt,
Thanks for the link. That provides some great information on the subject.

D. Kellus Pruitt DDS,
I think the reason for that is that encryption isn’t a criterion that doctors use to search for an EMR. Certainly ensuring that it’s HIPAA compliant is on their list, but levels of encryption and use of encryption isn’t really an EMR selection criterion. It might become a factor and discussion after the fact, but rarely during the search.

Plus, let’s be honest that most practices definitely want to be HIPAA compliant but they don’t necessarily want to go to the work of really knowing the details of what that means. Maybe that’s a bit cynical and there are exceptions, but that’s just what I see.

John, you’ve done a great job creating a thread and info on a tricky but very important topic.

For readers doing their own research, just google “secure email” and “encrypted email”, you’ll find dozens of listings, but careful – some are just “secure email” (sent through a secure pipe, aka worthless for us) rather than encrypted email. But really – email encryption has been around in a viable and affordable form for several years.

Some are companies that have wrapped special services or functionality on top of the Zixmail platform (I have no affiliation with them, btw), others have their own standalone product. Comodo is one of those, VERY inexpensive ($12/year/person), but the difference between a Comodo approach and a Zixmail approach is that Comodo is all or nothing – it will encrypt all emails for the account you register…could be good or could be a pain, depends on your needs.

Zixmail uses business and medical lexicons to sniff out if the email you’re about to send should be encrypted and does it for you, but leaves regular non-medical emails unencrypted. One of the Zixmail vendors had a fee of about $40/month/user…that is not a high price to pay.

Most systems use security certificate exchange and so often don’t need to install special software at your recipient. Instead, for the first emails you set up digital signatures (automatically) and from that point on, that recipient can be an encryption target.

I’m the technology exec at Qliance (a primary care startup), and one of my tasks is security and compliance. It’s a big deal, as in simple to understand but quite difficult to properly implement and manage when you’re talking about many clinics plus public patient interactions via a patient portal.

John, I too appreciate the work you put into the EMR and HIPAA forum. I guess my next question on this fine Christmas morning is, if encryption is so simple and cheap, how come it is not more prevalent? If you had to guess, what percentage of hospitals and ambulatory healthcare clinics do you think currently encrypt data at rest as well as in motion?

I know for a fact that hardly anyone encrypts anything in dentistry. I cannot even get Dentrix, the largest seller of eDRs, to respond to my questions concerning encryption. I would think if the dental industry knew how easy it is to avoid almost all of the liabilities of data breaches, they would jump all over it.

D. Kellus Pruitt, DDS,
I understand vendors like Schein, Patterson, and Kodak (to name a few) consider their PM software (i.e., data) “protected” due to their recommended use of unique UserID/Password and the user permissions configured within. They explain if done as suggested the PHI cannot be accessed, but each of these applications also allows PHI to be emailed from within their programs as long as an existing email account is configured on the machine, which as we are discussing in this post is itself a HIPAA violation.
“They” won’t recommend encrypting backups due to the potential restoration issues surrounding such and will again state their data is protected and cannot be accessed without the UID /PW to the office’s PM software.
I know unprotected images can be viewed separately but such are only associated/identified with patients from within their program which is concerning because they can still be viewed…

Thanks packets. But the issue still begs the same question: If encryption is simple and cheap, other than perhaps restoration issues, why isn’t it being done? I assume that encryption is as rare in physicians’ offices as it is in dentists’ offices.

As far as passwords go, they may keep out the curious novice, but there are programs that can be purchased that will blow right on past passwords.

Encryption is neither simple nor cheap and is the cart before the horse! You’re correct, the bigger concern is the fact that most dental practices still permit their domain users internet access and allow users to run with full administrative privileges on the local machine. Social engineering has proved to work every time it’s tried…encryption whether implemented or not is the least of the security issues. The weakest link and the havoc they can wreak must first be addressed!

Any database-based EMR (nearly all; there are a couple of simple ones that use flat files (bad idea)) stores most data in clear text (can be read directly), so anyone with the ability to query the database can access the data. That’s the “data at rest” aspect D. Kellus Pruitt, DDS mentioned a while back. We’ll normally encrypt specific data elements like credit card number, but it’s not feasible or practical to encrypt an entire database. Encrypting an entire database would make it unbearably slow and non-scalable.

Data that gets taken offsite (like backup tapes) must be encrypted. As Packets mentioned, restores of encrypted backups can be problematic, but mostly with older tapes/equipment. Portable devices (laptops, PDAs, smartphones) that are allowed to store patient data…well, that’s just a really bad idea period, but if you allow it, that data must be encrypted.

When I say “must be encrypted”, I mean must be encrypted to avoid a HIPAA violation if that tape or laptop gets stolen and the data accessed. The big HIPAA violations and data breaches you read about are largely due to unencrypted data on a portable hard drive, a laptop, or a backup tape. The real violation (big fines) then occurs when the owner of the patient data doesn’t properly notify both the regulatory agencies and the patients “in a timely manner”.

So…if your databases are properly secured (role-based permissions preventing regular staff from running direct queries), and your app is secured via login and password, your “data at rest” is considered secured. If your “edges” are tight (laptops, etc are secure, and remote access is secure), then your degree of security is pretty high.

Your next place of exposure is where you provide data to patients. I simply would NOT provide patient data in UNencrypted emails…then you can sleep at night. Either they agree to use your encrypted email service, or hit your secure patient portal, or you can mail them their info. I would not allow faxing to an unsecured location since you cannot guarantee who will view the contents.

In our system, we have all medical faxes come into an electronic fax system (FoIP – Fax over IP, like VoIP). In that scenario, the fax files (tiff image files) are never exposed to printing or viewing. Instead, our medical records staff reviews them on a screen, indexes them, and applies them to the appropriate location or patient record. That staff is trained in HIPAA procedures and policies.

Packets was completely correct on behavioral aspects: a security system is only as good as the people using (or abusing) it. Well trained, cooperative staff are essential.

Great info and obviously I haven’t kept up my responses to all the conversation (which is a great thing I think) even though I wish I could.

Anyway, just a few additional comments/responses:
D. Kellus Pruitt DDS,
I’d guess that probably 80-90% of EMR software is encrypted between the computers that access the EMR software. That’s pretty widespread. I honestly can’t think of any that I know of that haven’t implemented this well. Although, I’m sure there are some that haven’t done so and more importantly there are clinics that haven’t implemented it the right way.

Now, as far as encrypted email, I’d guess that maybe 10% (if that) do encrypted email. A few more do secure messaging (link to a patient portal that requires a login), but still pretty small. Most doctors that I’ve talked to aren’t ready to open up those lines of communication with their patients.

As far as email communication of PHI…
I’m with Mike Sofen on this. If you want to sleep well at night, you’ll be sure the email communication is encrypted or secured appropriately. Sending an email with PHI in clear text even if you got the patient’s permission is walking a tightrope in my opinion.

Obviously, I won’t get started on all the other potential security issues in a clinical practice. We’ll save those for future posts:-)

What about the patient (me) who WANTS e-mail communications for the convenience of me, the CONSUMER, and who has waived in perpetuity the so-called “rights” under HIPAA? There is no HIPAA excuse not to use e-mail yet docs still refuse. Where can a consumer find a service provider who will be responsive to their (the consumer’s) preferences of convenience over security?

Thanks to John for defining the existing disparity between HIPAA requirements and 99% of the email communication out there.

Welcome to the max.MD 1%!

All of our products are entirely HIPAA, HITECH and NIHN compliant. Senders and recipients can communicate from any computer, tablet or smartphone. Unlike every other description in the article, this product suite is extremely easy to use. Because it is so intuitive, most users will not require any form of training.

We also want to highlight the affordability factor. Our products and services help groups reduce the need for overnight letters and CD’s. By eliminating just one overnight letter per week, the cost of using mdEmail can be recovered.

We have combined some of the best technologies in Web 2.0 communication, including:
– .md Top Level Domain
– Use of that domain as a secure transport layer (Patent Pending)
– State-of-the-art servers and encryption / decryption
– Solutions for communication with anyone, anywhere
– Solution for secure group discussion, with applications in collectively investigating maladies or in home health care coordination
– Digital signature for paperless forms and contract completion
– Scalable from small office to global enterprise using cloud computing
– Integrated into several EHR/EMR applications
– Supports transport of PHI to Clinical Data Repositories or Health Information Exchanges

In summary: no other solution is as robust, as user friendly, or as timely. Further info can be found at http://www.max.md

I hear you, Jim Hanlon. And yes, HIPAA sucks. However, until max.MD or another new product improves the level of security, unencrypted emails from doctors to patients are out of the question according to the HITECH Act of 2009. The Geisinger Health System data breach mentioned earlier didn’t even expose information that could be used by an identity thief, and may or may not have involved what you and I would consider sensitive personal information. Yet today, Denise AllaBaugh posted “Patient contacts lawyer after protected health information compromised.” on thedailyreview.com: http://thedailyreview.com/news/patient-contacts-lawyer-after-protected-health-information-compromised-1.1083367

“Hazleton resident Shannon Konopinski worries her personal health information and family medical history could end up on the Internet and she has contacted lawyers.

She is upset about a letter she received stating that a former Geisinger Wyoming Valley Medical Center physician sent her protected health information to his home e-mail in an un-encrypted manner.”

I’d say she has a good case. The country is getting fed up with Wikileaks of all kinds.

Jim,
The problem with the law is that even if you’ve waived your right to it, the law is still such that the doctor could still be held liable. Or at least it’s vague enough that it’s definitely a risk for a doctor to do it.

A part of me is actually glad that someone is bringing a case against email like this. Mostly because the case will set a precedent that will at least give better guidelines of how the law will be enforced and defined.

Oh yes, and I’ll have to look at max.md. I’d love to know which EMR software integrated with max.md and how they integrate. Will you be at HIMSS? I’d love to see it in person and talk more about the implementation details.


MaxMD solutions have been integrated into 3 EHR solutions from eCast, Azzly and WorkFlow. We have more collaborations in the pipeline. In addition to meeting 100% of the Technical and Security standards of HIPAA and HITECH, the MaxMD secure transport layer conforms to the Policy standards of the NIHN Direct project.

We are a Health Information Service Provider (HISP). MaxMD’s range of products were designed to address the communication needs of every patient, provider, consultant, business entity or enterprise operating under the government healthcare requirements.

The product suite works seamlessly with familiar email products such as Outlook, Thunderbird or Mac Mail. Our streamlined webmail client allows individuals to work from any computer. The history is audited and synchronized, showing users which messages have already been read. This is especially useful when an individual has a desktop computer, laptop computer and perhaps a smartphone or a tablet. Because we function over the iPhone, Android, Blackberry and Palm, individuals can work when they want, where they want.

Part of the thread demonstrates the patient side of the debate. For Jim’s benefit, please be advised that mdSecureSend (one of the bundled communications products in our $8.50/month suite) allows patients to initiate a secure email – in full HIPAA, HITECH, and NIHN Direct compliance.

Now every aspect of wellness can be reinforced through better, easier, and secure communication.

I noticed that nobody here mentioned Voltage SecureMail Cloud. It appears to be very simple, and is what we will be recommending to our customers that have Exchange internally. At $65/yr per email account, it’s reasonable. One other item I liked is that the email is not stored on a server ‘in the cloud’, so no concern of who is maintaining it. http://www.voltage.com/vsn/index.htm

Oddly enough, I got turned on to them via Microsoft. Voltage is used by Microsoft in their Hosted Exchange Product.

We have been using the zixgateway for many years for mail going outside our company being encrypted for both HIPAA and GLBA requirements. The initial setup does work well, but it is also customizable, and Zix tech support has always been helpful and knowledgeable.

Most of the hospitals in the area use zix, so it is convenient for us to have it go encrypted out of our system, and be automatically decrypted to theirs (and vice versa).

The mail does have another option other than it going to the recipient as an encrypted attachment. It also has the option of going (still encrypted) to a web portal that allows both sending and receiving of encrypted e-mails by non-zix customers. This allows patients to instigate a secure e-mail at no cost. Some customers are reluctant to sign up for this free service though, so the zixdirect is still an option.

The gateway can be somewhat pricey for a small company however, and for that they do have both hosted services (cost unknown), and an individual desktop client (zixmail) which is less than $100/user/year. It allows the person, with a single click, to encrypt the mail going out. I believe it does not include zixdirect though, only the portal option.

The other products that have been mentioned in this blog are good as well. I just figured having some experience with this kind of thing on the tech side, it might add some thoughts. Ultimately, weighing what works best for your company/application and risk acceptance can be the only judge.

Google Apps and Gmail, or any email you use, can be HIPAA compliant using zsentry.com. Standard encryption technology with the unique ZSentry Sans Target method keeps email safe and HITECH Safe Harbor compliant, sending data between parties as regular email without pre-arranged passwords. Even Google can’t read it (…not that they would want to…). It doesn’t require installation of any software, which is great for usability, and it even adds functionality such as self-destruct, with message level access control. It’s also free for patients and personal use. Price starts at $2.99.

Thanks for sharing another possible solution Joe A. Although, your website does a terrible job explaining how it works. From your website:
“You select the secure email account in the From drop-down list, and click Send . To read and reply to a secure email, you click Read. This works in the Gmail or Google Apps screen, or in a Mail Client using your Google account.”

Uhhhh…that doesn’t tell me how it’s encrypted (which is the most important part of how it works to me).

I did find this description later on the same page, “The user clicks Compose and sees a drop-down list for the ‘From’ address. The user selects the ‘From’ address that uses ZSentry, writes the email, then clicks Send.”

What’s a ‘From’ address that uses ZSentry?

It’s too bad there’s no third party service that certifies various applications that claim to be HIPAA compliant (ie. Email, Fax, EMR/EHR, etc). Could be a great business if done right I think.

Thanks for noticing how simple it is to use. A ‘From’ address that uses ZSentry is exactly that, as people see when they use it. ZSentry and secure email ZSentry Mail have been extensively peer reviewed since 2004, with publications listed in the site. To see how it works, you can go to the FAQ page at http://zsentry.com/security-email-faq.htm and see, for example, Why is ZSentry secure? and other questions.

Joe A.
Ok, I was thinking the To email, not the From email. I think I follow a little better now. If I send an email to johndoe@hotmail.com from my secure ZSentry email, how do they receive it? Do they get a link to see an encrypted copy? How does hotmail know how to decrypt the message?

Your website tells me that it’s encrypted and tells me the other nice buzzwords you implemented, but it doesn’t tell me the practical details of where the email gets encrypted when I click send in google apps and how the receiver is able to decrypt the email once they get it.

Also, are you willing to sign a Business Associate agreement with a medical practice?

It’s one thing to have a list of publications that talk about your service and write about the details of what you tell them and another for a third party to verify in depth what you’re telling people about HIPAA security is actually happening. Plus, how many publications really understand HIPAA that well that they could do an in depth analysis of how well a service complies with HIPAA.

To be clear, I’m not saying if you do or don’t comply. It does seem like you’ve made a good effort to comply. I’m just saying that I don’t know any company that does a real solid, in depth job of ensuring HIPAA compliance of devices and software.

If you send an email to johndoe@hotmail.com from your secure ZSentry email, how do they receive it? Both you, the sender, and the recipient can choose how, within your different roles. Suppose the sender chooses ‘Automatic Skin’, which is the default. The recipient gets a link to see an encrypted copy in the browser, and may also get a link to read the email directly in a Mail client (including Outlook, Apple Mail), where in both cases the recipient can reply securely with the From address that uses ZSentry. Alternatively, the sender can choose a different Skin and send the whole message encrypted, not just a link.

How does hotmail know how to decrypt the message? The link in Hotmail connects in SSL to zsentry.com where the request is processed according to the sender’s delivery request: for example, recipient must login. Or, recipient’s mailbox must be authenticated. In each case, the sender may allow reading only until expiration (self-destructing afterward), request a return receipt with Who, Where, When, What, How information, and request other options such as send back a secure archive copy that does not expire.

When you click Send in Google Apps, the zsentry.com site explains in http://zsentry.com/zsentry-google-setup.htm under ‘How It Works’ that your email is protected by ZSentry using encryption and authentication before transmission [by Google-ZSentry server-to-server SSL/SMTP], and will be delivered encrypted per-message, end-to-end [by ZSentry]. You receive ZSentry secure email at your own Inbox (in Gmail, Google Apps, or in a Mail Client using your Google account), can read & reply securely, and avoid online breach notification liability.

How does this work internally at ZSentry? There are well-known and recognized standards for encryption of email, including ITU-T and IETF X.509/PKI with S/MIME, and PGP with or without PGP/MIME encoding. ZSentry was developed after these standards and improves upon them in both usability and security. ZSentry reduces the requirements in four critical areas, as mentioned in the FAQ (see link in previous comment).

There is no Business Associate Agreement to sign (and this is a good thing) as ZSentry complies with HITECH Safe Harbor.

Regarding HIPAA compliance, the FAQ page (mentioned in my previous reply) has the question ‘Is there any documentation from the government that ZSentry is HIPAA compliant?’ and answers it.

Joe A,
Thanks for sharing the details. I wish your website did a better job describing what you described in the hotmail example above. A video of it happening would be killer too. Then, people could literally see the sending of the email (you could talk about what’s happening in the background to secure the message) and then see the person opening the email in hotmail and what they’ll see as far as a link to an encrypted page.

I’m a big time google apps user, so I’ll have to give it a whirl. Looks like it’s free for personal use.

Thank you. I’ll pass your suggestions along. The free personal use option (Basic) is fully functional with no setup, but excludes the second link to open in a Mail client (as it needs setup). Paid versions start at $2.99.

Transmitting PHI through unencrypted email is not, in itself, a HIPAA violation. There has to be evidence of a breach in order for it to violate HIPAA. The encryption standard is still an addressable, even with the HITECH modifications. The only thing that changes is that now encryption provides a safe harbor in the event of a breach.

There is no documented case of email ever being intercepted in-transit over the Internet. There are ways that your email can be intercepted at either end of the transmission, but encryption cannot mitigate those risks. The bottom line is that there is very little chance that any email you send will ever be intercepted in transit, but you can eliminate the risk of being fined if it ever were to happen by using encryption.

Almost anything that travels over the internet is hackable, and email is the easiest of all unless it is encrypted, and even then, my bet is that NSA super computers can decrypt even those.

I suggest that we stop thinking about “breach” and start thinking about “reducing the footprint of exposure”: sign up for an encryption service, but if you don’t, for sure don’t use content scanning email services like gmail.

Use complex password phrases instead of words. And don’t store patient emails on portable devices that can be lost/stolen. If you need access to patient emails, remote into a secured computer that has them. If your systems get backed up to tape or other disks, you must ensure those backups are encrypted. There are additional steps to be taken, but you get the drift.

All of this doesn’t prevent a “breach” but it reduces the probability profoundly AND shows due diligence in prevention, making the liability drop close to zero.

Yes, you’ve (again) nailed it – whether it’s secure email or migrating from paper to an EMR, practices and providers actually DOING it appears to still have a similarity to molasses on a cold day.

In my opinion, the barriers are still too high for the average provider/practice to move to an EMR: cost, difficulty of conversion, difficulty of learning a new complex thing while trying to make a living, disruption of existing business during transition, mitigating patient upsets when things go wrong, having encounter documentation take longer (or far longer) than paper, and of particular importance to a provider: not looking bad (incompetent, naive) in front of a patient while using the new EMR for the first few weeks.

The reality is, this is a really hard thing to do well, as evidenced by the huge numbers of failed EMR conversions and large number of second EMRs (replacing a first EMR).

However, in contrast, using encrypted email requires no learning, almost no cost, no commitment, no change to any other aspect of an operation. I think it’s simply an inertia thing, and also a lack of consciousness on the topic.

My guess is, sometime in the next 2 years we’ll have one really big legal event driven by a patient email breach incident and then we’ll see a flock of seagulls around the herring ball.

Speaking as a patient, not in the medical field: I have had readily available public encryption keys for well over a decade. I send & receive encrypted mail almost daily. Yet, I have not a single medical provider who has any clue how to send or receive secure email; they fax everything, which is particularly ironic as faxing dates to shortly after the US Civil War (yes, look it up) and is not secure at all.

…and lest you assume that I must be an IT guy to have been using encryption for more than a decade, no: My undergraduate degree is in photography, my graduate degree is in Theology.

Encryption is both free & easy. There are two well accepted systems, OpenPGP and X.509; either one is far more secure than the HIPAA encryption requirements, and both are free; of course if you’d rather pay than think, vendors are available. Either way, please, get out of the 19th Century and start encrypting.

This is really interesting… I didn’t know that email isn’t HIPAA secure either until my hospital got in big trouble for having us nurses texting patient info. We just got a HIPAA compliant texting service called Tigertext & now we can text whatever we want without getting fined!!

Well, Lance, I appreciate your comment, and many of us docs are regular users of encryption using tools like OpenPGP…but our patients are NOT. How do you suggest going about installing OpenPGP on our patients’ systems, most of whom use content scanning providers?

When TLS is implemented between e-mail servers, the content of the messages exchanged between the servers is fully encrypted.

This also means that the e-mail CLIENTS and/or web interfaces which are used to send and receive must ALSO be encrypted using either TLS or SSL.

The unfortunate part of the equation is that most e-mail vendors are not currently using TLS to encrypt the messages sent between the e-mail servers, and that makes the messages sent via the public internet the equivalent of a post card: anyone who has access to any device which is part of any of the networks through which the data passes can read the message and content.

In response to the several questions posed regarding whether PHI can be sent in an e-mail when a patient requests such data be sent, the answer is NO!

There is NEVER an allowable situation when PHI can be transmitted in an unencrypted e-mail message, whether by patient request or not.

This also applies to inter- and intra-office communications, because almost all office networks are connected to the internet cloud at some point, and that means that someone who has the proper skills and technology available to them can, and at some point will, snoop the traffic on the local network.

Remember, data is on a NEED TO KNOW BASIS under the latest HIPAA rules. The receptionist does not have the right to know about the diagnosis, etc. No one should have access to any of the patient data outside of what they need to work with a patient. If someone does not work with a patient, they should never be allowed to pull up the patient record and look at it.

The rules are strict for a reason – CONFIDENTIALITY.

I work in many different offices as a consultant and am amazed at the amount of gossip and non-essential communication that goes on regarding patient diagnosis. Under the latest HIPAA/HITECH regulations, I am a BUSINESS AGENT and have the obligation to tell the supervisory staff of the violations. I have been told to mind my own business on several occasions and remind them that if they do not correct the problem I have a legal obligation to open a report with OCR.

Keeping patient PHI private is everyone’s responsibility, ALL of the time!
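The "post card" point above can be checked on any message already in your Inbox: every relay records the protocol it used in a Received: header, and the RFC 3848 keywords ending in S (ESMTPS, ESMTPSA) mark a hop that ran under TLS. The script below is an added example, not code from the blog or from any vendor named in the thread; the sample message, host names and addresses in it are constructed.

```python
"""Audit the Received: trail of an e-mail message: which hops used TLS?

Added illustration, not code from the blog or any vendor in the thread. It
inspects the 'with' keyword each relay wrote into its Received: header
(RFC 3848 registers ESMTPS/ESMTPSA for hops made under TLS), so it reports
what a hop *claimed*; a relay's own header cannot be verified from here.
"""
import re
from email import message_from_string

# Constructed sample: first hop from the office PC to a webmail provider in
# the clear, second hop to the hospital under TLS. All hosts are invented.
SAMPLE_MESSAGE = """\
Received: from mx.patient-webmail.example (mx.patient-webmail.example [203.0.113.9])
        by inbound.hospital.example with ESMTPS id k7si2Z
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
        Tue, 05 Feb 2013 09:14:02 -0700
Received: from clinic-pc (clinic-pc.office.example [192.0.2.21])
        by mx.patient-webmail.example with ESMTP id 5yT0aB;
        Tue, 05 Feb 2013 09:13:58 -0700
From: frontdesk@office.example
To: someone@patient-webmail.example
Subject: appointment

Hello.
"""

# RFC 3848 keywords whose trailing 'S' marks a TLS hop ('A' only means authenticated).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
_ROUTE_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")

def audit_received_hops(raw_message: str) -> list:
    """One dict per relay hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):  # newest is on top
        flat = " ".join(header.split())  # unfold continuation lines
        with_match = _WITH_RE.search(flat)
        protocol = with_match.group(1).upper() if with_match else "UNKNOWN"
        route = _ROUTE_RE.search(flat)
        hops.append({"from": route.group(1) if route else "?",
                     "by": route.group(2) if route else "?",
                     "protocol": protocol, "tls": protocol in TLS_PROTOCOLS})
    return hops

def all_hops_encrypted(raw_message: str) -> bool:
    """True only when every recorded hop advertised a TLS keyword."""
    hops = audit_received_hops(raw_message)
    return bool(hops) and all(hop["tls"] for hop in hops)
```

For the constructed message the first hop reports plain ESMTP, so `all_hops_encrypted` returns False: the content crossed the office's upstream link as a post card even though the final hop was TLS.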

Interesting discussion, which I hope to re-energize! Note that the newly published Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (the long awaited HITECH final changes to HIPAA) has within the commentary section for 45 CFR 164.524(c) that providers are permitted to send individuals unencrypted emails, if they advise the individuals of the risk and the individual still wants the communication anyway. HHS seems to imply that this is just another way to meet the requirement that a health care provider must provide copies of health information in an electronic form or format as requested by the individual. At least the Feds are saying that providers are not responsible for unauthorized access of health information while in transmission to the individual based on the individual’s request. Won’t stop a lawsuit, of course.
